Security Incidents mailing list archives

RE: Strange "shotgun" scan


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Thu, 9 May 2002 14:21:19 -0400

This could be any number of tools, as most scanners allow for control of speed and/or randomization of target ports, mainly for the purposes of IDS evasion. Keep in mind that there are two common ways to evade an IDS: go so slow that it doesn't think anything is wrong, or go so fast that the sensor is overwhelmed and drops packets.

This fellow may be trying to overwhelm the sensor by scanning at such a rapid rate that packets are dropped from the 
buffer before the IDS generates an alert.  Or, it could simply have been someone who thought that "nmap -T Insane" 
would get the job done faster (only an example, as I haven't studied this for any tool-related pattern).  Kids these 
days are impatient.

Cheers

Keith

-----Original Message-----
From: Ken Hodges [mailto:khodges () wng com]
Sent: Thursday, May 09, 2002 1:30 PM
To: incidents () securityfocus com
Subject: Strange "shotgun" scan

Has anyone seen this type of scan before? I received close to 10K scans during a 15 minute period. It appears that the person was scanning totally random ports on all of my IP range. Just curious if it is some known program, or if anyone has seen this before.

Thanks.

Ken.

May  8 18:56:26 24.165.73.85:2070 -> 206.40.XXX.XXA:394 SYN 12****S*
May  8 18:56:26 24.165.73.85:2071 -> 206.40.XXX.XXA:478 SYN 12****S*
May  8 18:56:26 24.165.73.85:2072 -> 206.40.XXX.XXA:770 SYN 12****S*
May  8 18:56:26 24.165.73.85:2073 -> 206.40.XXX.XXA:350 SYN 12****S*
May  8 18:56:26 24.165.73.85:2074 -> 206.40.XXX.XXA:126 SYN 12****S*
May  8 18:56:26 24.165.73.85:2075 -> 206.40.XXX.XXA:3462 SYN 12****S*
May  8 18:56:26 24.165.73.85:2076 -> 206.40.XXX.XXA:1003 SYN 12****S*
May  8 18:56:26 24.165.73.85:2077 -> 206.40.XXX.XXA:1546 SYN 12****S*
May  8 18:56:26 24.165.73.85:2078 -> 206.40.XXX.XXA:980 SYN 12****S*
May  8 18:56:26 24.165.73.85:2079 -> 206.40.XXX.XXA:680 SYN 12****S*
May  8 18:56:27 24.165.73.85:2100 -> 206.40.XXX.XXA:819 SYN 12****S*
May  8 18:56:27 24.165.73.85:2101 -> 206.40.XXX.XXA:749 SYN 12****S*
May  8 18:56:27 24.165.73.85:2102 -> 206.40.XXX.XXA:727 SYN 12****S*
May  8 18:56:27 24.165.73.85:2103 -> 206.40.XXX.XXA:412 SYN 12****S*
May  8 18:56:27 24.165.73.85:2104 -> 206.40.XXX.XXA:5432 SYN 12****S*
May  8 18:56:27 24.165.73.85:2105 -> 206.40.XXX.XXA:554 SYN 12****S*
May  8 18:56:27 24.165.73.85:2106 -> 206.40.XXX.XXA:1989 SYN 12****S*
May  8 18:56:27 24.165.73.85:2107 -> 206.40.XXX.XXA:460 SYN 12****S*
May  8 18:56:27 24.165.73.85:2108 -> 206.40.XXX.XXA:696 SYN 12****S*
May  8 18:56:27 24.165.73.85:2109 -> 206.40.XXX.XXA:1998 SYN 12****S*
May  8 18:56:28 24.165.73.85:2130 -> 206.40.XXX.XXA:867 SYN 12****S*
May  8 18:56:28 24.165.73.85:2131 -> 206.40.XXX.XXA:776 SYN 12****S*
May  8 18:56:28 24.165.73.85:2132 -> 206.40.XXX.XXA:799 SYN 12****S*
May  8 18:56:28 24.165.73.85:2133 -> 206.40.XXX.XXA:1419 SYN 12****S*
May  8 18:56:28 24.165.73.85:2134 -> 206.40.XXX.XXA:970 SYN 12****S*
May  8 18:56:28 24.165.73.85:2135 -> 206.40.XXX.XXA:20 SYN 12****S*
May  8 18:56:28 24.165.73.85:2136 -> 206.40.XXX.XXA:67 SYN 12****S*

And it goes on and on....
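As an added example (not part of either post, and not the output of any particular tool), the following Python script parses log lines in the exact format Ken pasted and computes, per source host, the numbers that distinguish Keith's two evasion styles: probes per second, how many distinct target ports were hit, whether the target-port order looks random (ascending pairs near 50%) or sequential, and how many source ports the scanner consumed that never show up in this log (probes aimed at other hosts in the range, or packets the sensor dropped). The log text is the 27 lines from the post with the masked destination kept as-is; the thresholds FAST_PPS, MIN_PORTS and the 0.2-0.8 band are illustrative assumptions, not values from Snort or nmap.

```python
"""Per-source analysis of Snort-style portscan log lines (added example).
Line format from the post: "May  8 18:56:26 SRC:SPORT -> DST:DPORT SYN 12****S*"."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<kind>\S+)\s+(?P<flags>\S+)$"
)
FAST_PPS = 5.0        # assumption: >= 5 logged probes/s from one source counts as "fast"
MIN_PORTS = 10        # assumption: fewer distinct target ports is not treated as a port scan
LOW, HIGH = 0.2, 0.8  # assumption: ascending-pair ratio in this band means random port order

# Lines copied from the original post (destination host masked there as 206.40.XXX.XXA).
POSTED_LOG = """\
May  8 18:56:26 24.165.73.85:2070 -> 206.40.XXX.XXA:394 SYN 12****S*
May  8 18:56:26 24.165.73.85:2071 -> 206.40.XXX.XXA:478 SYN 12****S*
May  8 18:56:26 24.165.73.85:2072 -> 206.40.XXX.XXA:770 SYN 12****S*
May  8 18:56:26 24.165.73.85:2073 -> 206.40.XXX.XXA:350 SYN 12****S*
May  8 18:56:26 24.165.73.85:2074 -> 206.40.XXX.XXA:126 SYN 12****S*
May  8 18:56:26 24.165.73.85:2075 -> 206.40.XXX.XXA:3462 SYN 12****S*
May  8 18:56:26 24.165.73.85:2076 -> 206.40.XXX.XXA:1003 SYN 12****S*
May  8 18:56:26 24.165.73.85:2077 -> 206.40.XXX.XXA:1546 SYN 12****S*
May  8 18:56:26 24.165.73.85:2078 -> 206.40.XXX.XXA:980 SYN 12****S*
May  8 18:56:26 24.165.73.85:2079 -> 206.40.XXX.XXA:680 SYN 12****S*
May  8 18:56:27 24.165.73.85:2100 -> 206.40.XXX.XXA:819 SYN 12****S*
May  8 18:56:27 24.165.73.85:2101 -> 206.40.XXX.XXA:749 SYN 12****S*
May  8 18:56:27 24.165.73.85:2102 -> 206.40.XXX.XXA:727 SYN 12****S*
May  8 18:56:27 24.165.73.85:2103 -> 206.40.XXX.XXA:412 SYN 12****S*
May  8 18:56:27 24.165.73.85:2104 -> 206.40.XXX.XXA:5432 SYN 12****S*
May  8 18:56:27 24.165.73.85:2105 -> 206.40.XXX.XXA:554 SYN 12****S*
May  8 18:56:27 24.165.73.85:2106 -> 206.40.XXX.XXA:1989 SYN 12****S*
May  8 18:56:27 24.165.73.85:2107 -> 206.40.XXX.XXA:460 SYN 12****S*
May  8 18:56:27 24.165.73.85:2108 -> 206.40.XXX.XXA:696 SYN 12****S*
May  8 18:56:27 24.165.73.85:2109 -> 206.40.XXX.XXA:1998 SYN 12****S*
May  8 18:56:28 24.165.73.85:2130 -> 206.40.XXX.XXA:867 SYN 12****S*
May  8 18:56:28 24.165.73.85:2131 -> 206.40.XXX.XXA:776 SYN 12****S*
May  8 18:56:28 24.165.73.85:2132 -> 206.40.XXX.XXA:799 SYN 12****S*
May  8 18:56:28 24.165.73.85:2133 -> 206.40.XXX.XXA:1419 SYN 12****S*
May  8 18:56:28 24.165.73.85:2134 -> 206.40.XXX.XXA:970 SYN 12****S*
May  8 18:56:28 24.165.73.85:2135 -> 206.40.XXX.XXA:20 SYN 12****S*
May  8 18:56:28 24.165.73.85:2136 -> 206.40.XXX.XXA:67 SYN 12****S*
"""

def parse(text):
    """Yield one dict per line that matches the format; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        yield {"t": int(g["hh"]) * 3600 + int(g["mm"]) * 60 + int(g["ss"]),
               "src": g["src"], "sport": int(g["sport"]),
               "dst": g["dst"], "dport": int(g["dport"]), "flags": g["flags"]}

def stats_by_source(records):
    """Per-source rate, port spread and ordering statistics."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    out = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: (r["t"], r["sport"]))
        n = len(recs)
        span = recs[-1]["t"] - recs[0]["t"] + 1          # seconds, inclusive of last one
        sports = [r["sport"] for r in recs]
        dports = [r["dport"] for r in recs]
        pairs = max(n - 1, 1)
        seq = sum(1 for a, b in zip(sports, sports[1:]) if b == a + 1)
        asc = sum(1 for a, b in zip(dports, dports[1:]) if b > a)
        out[src] = {
            "probes": n,
            "rate_pps": n / span,
            "distinct_dports": len(set(dports)),
            "distinct_dsts": len({r["dst"] for r in recs}),
            "sport_sequential_ratio": seq / pairs,       # ~1.0: one socket per probe, in order
            "dport_ascending_ratio": asc / pairs,        # ~0.5: random order; 1.0: sequential
            # source ports in the scanner's range that never appear here: probes sent to
            # other hosts in the range, or packets the sensor dropped (heuristic assumption)
            "unlogged_sports": (max(sports) - min(sports) + 1) - len(set(sports)),
        }
    return out

def classify(s):
    """Label a source using the illustrative thresholds above."""
    if s["distinct_dports"] < MIN_PORTS:
        return "not a port scan"
    random_order = LOW < s["dport_ascending_ratio"] < HIGH
    fast = s["rate_pps"] >= FAST_PPS
    if random_order:
        return "shotgun" if fast else "slow randomised"
    return "fast sequential" if fast else "slow sequential"

def analyse(text):
    """Map source host -> statistics plus a verdict string."""
    return {src: dict(s, verdict=classify(s)) for src, s in stats_by_source(parse(text)).items()}

if __name__ == "__main__":
    for src, s in analyse(POSTED_LOG).items():
        print(f"{src}: {s['verdict']}, {s['probes']} probes at {s['rate_pps']:.1f}/s, "
              f"{s['distinct_dports']} ports, ascending ratio {s['dport_ascending_ratio']:.2f}, "
              f"{s['unlogged_sports']} source ports not seen in this log")
```

Run against the posted lines this reports 27 probes in 3 seconds (9/s), 27 distinct target ports with an ascending ratio of about 0.46 (random order), source ports almost perfectly sequential, and 40 source ports between 2070 and 2136 that never appear here, which is consistent with the scanner working through the rest of the address range (or the sensor missing packets) in between. Feeding it a constructed one-probe-per-second sweep of ports 1..20 yields "slow sequential" instead, so the same numbers separate the two evasion styles Keith describes.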

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
